'\" t
.\"     Title: pam_succeed_if
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
.\"      Date: 04/09/2024
.\"    Manual: Linux-PAM Manual
.\"    Source: Linux-PAM
.\"  Language: English
.\"
.TH "PAM_SUCCEED_IF" "8" "04/09/2024" "Linux\-PAM" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_succeed_if \- test account characteristics
.SH "SYNOPSIS"
.HP \w'\fBpam_succeed_if\&.so\fR\ 'u
\fBpam_succeed_if\&.so\fR [\fIflag\fR...] [\fIcondition\fR...]
.SH "DESCRIPTION"
.PP
pam_succeed_if\&.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of other PAM items\&. One use is to select whether to load other modules based on this test\&.
.PP
The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\&.
.SH "OPTIONS"
.PP
The following
\fIflag\fRs are supported:
.PP
debug
.RS 4
Turns on debugging messages sent to syslog\&.
.RE
.PP
use_uid
.RS 4
Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&.
.RE
.PP
quiet
.RS 4
Don\*(Aqt log failure or success to the system log\&.
.RE
.PP
quiet_fail
.RS 4
Don\*(Aqt log failure to the system log\&.
.RE
.PP
quiet_success
.RS 4
Don\*(Aqt log success to the system log\&.
.RE
.PP
audit
.RS 4
Log unknown users to the system log\&.
.RE
.PP
\fICondition\fRs are three words: a field, a test, and a value to test for\&.
.PP
Available fields are
\fIuser\fR,
\fIuid\fR,
\fIgid\fR,
\fIshell\fR,
\fIhome\fR,
\fIruser\fR,
\fIrhost\fR,
\fItty\fR
and
\fIservice\fR:
.PP
field < number
.RS 4
Field has a value numerically less than number\&.
.RE
.PP
field <= number
.RS 4
Field has a value numerically less than or equal to number\&.
.RE
.PP
field eq number
.RS 4
Field has a value numerically equal to number\&.
.RE
.PP
field >= number
.RS 4
Field has a value numerically greater than or equal to number\&.
.RE
.PP
field > number
.RS 4
Field has a value numerically greater than number\&.
.RE
.PP
field ne number
.RS 4
Field has a value numerically different from number\&.
.RE
.PP
field = string
.RS 4
Field exactly matches the given string\&.
.RE
.PP
field != string
.RS 4
Field does not match the given string\&.
.RE
.PP
field =~ glob
.RS 4
Field matches the given glob\&.
.RE
.PP
field !~ glob
.RS 4
Field does not match the given glob\&.
.RE
.PP
field in item:item:\&.\&.\&.
.RS 4
Field is contained in the list of items separated by colons\&.
.RE
.PP
field notin item:item:\&.\&.\&.
.RS 4
Field is not contained in the list of items separated by colons\&.
.RE
.PP
user ingroup group[:group:\&.\&.\&.\&.]
.RS 4
User is in given group(s)\&.
.RE
.PP
user notingroup group[:group:\&.\&.\&.\&.]
.RS 4
User is not in given group(s)\&.
.RE
.PP
user innetgr netgroup
.RS 4
(user,host) is in given netgroup\&.
.RE
.PP
user notinnetgr group
.RS 4
(user,host) is not in given netgroup\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
All module types (\fBaccount\fR,
\fBauth\fR,
\fBpassword\fR
and
\fBsession\fR) are provided\&.
.SH "RETURN VALUES"
.PP
PAM_SUCCESS
.RS 4
The condition was true\&.
.RE
.PP
PAM_AUTH_ERR
.RS 4
The condition was false\&.
.RE
.PP
PAM_SERVICE_ERR
.RS 4
A service error occurred or the arguments can\*(Aqt be parsed correctly\&.
.RE
.SH "EXAMPLES"
.PP
To emulate the behaviour of
\fIpam_wheel\fR, except there is no fallback to group 0 being only approximated by checking also the root group membership:
.sp
.if n \{\
.RS 4
.\}
.nf
auth required pam_succeed_if\&.so quiet user ingroup wheel:root
    
.fi
.if n \{\
.RE
.\}
.PP
Given that the type matches, only loads the othermodule rule if the UID is over 500\&. Adjust the number after default to skip several rules\&.
.sp
.if n \{\
.RS 4
.\}
.nf
type [default=1 success=ignore] pam_succeed_if\&.so quiet uid > 500
type required othermodule\&.so arguments\&.\&.\&.
    
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBglob\fR(7),
\fBpam\fR(8)
.SH "AUTHOR"
.PP
Nalin Dahyabhai <nalin@redhat\&.com>
